A new Telegram bug has been recently discovered which leaks the public IP addresses of the callers. It appears that the reason for this is a default configurations option which has been found to cause this behavior.

A new security report reveals that the popular Telegram messenger app contains a vulnerability. The interesting characteristic is that it is not based on bad code, but by the way the default settings are modeled. The Telegram bug by itself is caused by the voice calls feature, the default options are to carry them out through the peer-to-peer network. The analysis of this function shows that the IP address of the user initiating the call will be recorded in the Telegram console logs. This means that all client having this feature can read the IP address of their respective call partner. Interestingly not all Telegram clients have a console log.

However there is a way to fix the issue by changing the default options: The users need to navigate to the “Settings” page, opening the “Private and Security” tab, then to the “Voice Calls” section and modifying the “Peer-to-Peer” option to “Never”. This will reroute thte calls through the Telegram server which automatically hide the IP addresses and the log messages.

A proof-of-concept demonstration has already been posted to verify the issue. Following the disclosure to the Telegram security team the CVE-2018-17780 advisory has been assigned to it. The researcher that reported the vulnerability has been awarded a bug bounty of €2,000. The associated description of the bug reads the following:

Useful Links

Other Mediaops Sites

Our website uses cookies. By continuing to browse the website you are agreeing to our use of cookies. For more information on how we use cookies and how you can disable them, please read our Privacy Policy.